Critical · Vulnerability · Active

PraisonAI WebSocket Gateway Missing Authentication – Agent Enumeration and Arbitrary Message Injection

PraisonAI Gateway exposes unauthenticated `/info` and `/ws` endpoints, allowing attackers to enumerate all registered agents and inject arbitrary messages without credentials. The PoC demonstrates network-adjacent exploitation with zero authentication barriers.

Sebastion

CVE References

Affected

PraisonAI/praisonai

Vulnerability Analysis

Root Cause & Impact: The vulnerability stems from missing authentication checks in two critical endpoints: the /info REST endpoint and the /ws WebSocket handler in gateway/server.py. The /info endpoint directly returns the enumerated list of all registered agent IDs without any token validation, enabling reconnaissance. The WebSocket handler calls await websocket.accept() unconditionally, bypassing any authentication middleware. This creates a complete authentication bypass (CWE-306) where unauthenticated clients can directly interact with the agent topology. An attacker can enumerate active agents and send crafted messages to trigger unauthorized tool execution, lateral movement, or data exfiltration through compromised agents.

Proof-of-Concept Significance: The PoC demonstrates two sequential attacks: (1) passive enumeration via HTTP GET to /info, and (2) active WebSocket connection to /ws without credentials. Both steps succeed on default configurations. The preconditions are minimal—only network reachability to the gateway port. This is highly reliable because it exploits a complete absence of authentication logic rather than a bypassable check. The PoC confirms that any network-adjacent client (internal network, compromised container in same cluster, lateral movement from adjacent service) can immediately begin agent manipulation.

Detection Guidance:

  • HTTP Access Logs: Monitor for repeated GET /info requests from unexpected source IPs; baseline legitimate /info access frequency. Flag requests from non-service accounts or external networks.
  • WebSocket Logs: Alert on WebSocket upgrade requests (Upgrade: websocket, Connection: Upgrade) without corresponding authentication headers (Authorization, X-Token, etc.). Track WebSocket client count spikes.
  • Network Signatures: IDS/IPS rule: detect HTTP requests to the /info endpoint from unauthorized subnets. Monitor for WebSocket protocol upgrades on port 8765 from external networks.
  • Application Logs: Capture all WebSocket connection events with source IP and client ID; cross-reference against authenticated session stores to identify orphaned sessions.
  • YARA Rule: rule PraisonAI_WebSocket_Enumeration { strings: $s1 = "/info" $s2 = "agents" $s3 = "websocket_endpoint" condition: all of them }
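Detection logic for the HTTP and WebSocket log bullets above, as an added example that is not part of this advisory or of the PraisonAI project: it scans constructed JSON access-log records (a hypothetical reverse-proxy format with sample addresses) and flags /info requests and WebSocket upgrades that arrive from outside an assumed trusted subnet or without an Authorization/X-Token header.

```python
import ipaddress
import json

# Constructed JSON access-log records (hypothetical reverse-proxy format, sample addresses).
SAMPLE_LOG = """
{"src": "10.0.1.15", "path": "/info", "headers": {"Authorization": "Bearer ok"}}
{"src": "198.51.100.7", "path": "/info", "headers": {}}
{"src": "10.0.1.15", "path": "/ws", "headers": {"Upgrade": "websocket", "Connection": "Upgrade", "Authorization": "Bearer ok"}}
{"src": "203.0.113.9", "path": "/ws", "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}}
{"src": "10.0.1.15", "path": "/ws", "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}}
"""

# Subnet from which gateway clients are expected (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTH_HEADERS = ("authorization", "x-token")

def has_auth_header(headers):
    return any(k.lower() in AUTH_HEADERS for k in headers)

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def is_ws_upgrade(headers):
    # Upgrade: websocket plus Connection: Upgrade marks a WebSocket handshake.
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return h.get("upgrade") == "websocket" and "upgrade" in h.get("connection", "")

def classify(record):
    """Return alert tags for one record (empty list if nothing is suspicious)."""
    alerts = []
    headers = record.get("headers", {})
    if record["path"] == "/info":
        if not is_trusted(record["src"]):
            alerts.append("info-enum-untrusted-src")
        if not has_auth_header(headers):
            alerts.append("info-no-auth")
    if is_ws_upgrade(headers):
        if not has_auth_header(headers):
            alerts.append("ws-upgrade-no-auth")
        if not is_trusted(record["src"]):
            alerts.append("ws-upgrade-untrusted-src")
    return alerts

def scan(log_text):
    """Return (src, path, alerts) for every record that raises at least one alert."""
    out = []
    for r in (json.loads(line) for line in log_text.strip().splitlines()):
        if alerts := classify(r):
            out.append((r["src"], r["path"], alerts))
    return out
```

Running scan(SAMPLE_LOG) reports the three records that are either unauthenticated, from outside the trusted subnet, or both; the authenticated in-subnet requests produce no alert.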

Mitigation Steps:

  1. Immediate Patch: Apply GitHub pull request/patch that adds authentication middleware to /info and /ws endpoints. Require valid JWT or API key validation before websocket.accept().
  2. Workaround (Short-term): Implement reverse proxy (nginx/HAProxy) rate-limiting and IP allowlisting on the gateway port. Require header-based authentication token checking before forwarding to backend.
  3. Configuration Hardening: Bind gateway server to 127.0.0.1 or internal-only network interface; do not expose to untrusted networks. Use firewall rules to restrict access to known service IPs only.
  4. Code Changes (Required): Add token extraction and validation in websocket_endpoint() before accept(). Decorate /info with authentication decorator. Implement session management tied to originating authenticated user.
  5. Monitoring: Deploy honeypot /info endpoint that logs any access; configure alerting on first unauthorized /info request.

Risk Assessment: Likelihood of exploitation is very high in multi-tenant or internet-exposed deployments. Internal threat actors or lateral movement attackers will prioritize this for agent enumeration. External reconnaissance scanners will identify the endpoint automatically. Given the complete absence of authentication (not weak authentication), exploitation requires zero credential theft or password bypass. Threat actors with network access will exploit this as a first-step foothold to identify downstream agent tools and data flows. Organizations running PraisonAI versions ≤4.5.87 in production environments should treat this as an emergency patch.